The original reason for writing this article is that I ran into a bug in a project caused by the change to the default value of the SameSite cookie attribute: the website embedded in an iframe suddenly could not log in. After some research I learned that this could be caused by the SameSite default changing to Lax.

The problem was as follows:

Website: http://a.demo.com

Embedded site: https://b.demo.com

The cookie set on .demo.com (the shared login state for the whole .demo.com domain) was not sent with requests to b.demo.com, so the embedded site could not log in.

Cross-site requests do not carry cookies in some cases, but a.demo.com and b.demo.com are clearly the same site, so the cookies should be carried…

Later, after consulting English sources, I found that requests across protocols (HTTP to HTTPS) are also classified as cross-site.

Oh ~

Having filled in some of this knowledge, I am recording it here so that I do not forget it later.

What is cross-site?

The same-site criterion for cookies is eTLD+1: two hosts are the same site when their effective top-level domain plus the one label immediately in front of it is the same. An effective top-level domain (eTLD, also called a public suffix) is an entry in the Public Suffix List maintained by Mozilla, such as .com, .co.uk or .github.io; as these examples show, a public suffix can span more than one label and is not always a "real" top-level domain.

For example:

  • a.taobao.com and b.taobao.com are the same site (the eTLD+1 of both is taobao.com)
  • a.github.io and b.github.io are cross-site (github.io is itself a public suffix, so the eTLD+1 values are a.github.io and b.github.io)
  • a.taobao.com and a.tmall.com are cross-site (different eTLD+1)
  • http://a.taobao.com and https://a.taobao.com are cross-site: a different scheme also counts as cross-site (supplement; Chrome calls this "schemeful same-site")

In the earlier discussion of cookies, everything happened while visiting a.tmall.com: any user action under .tmall.com (a navigation, a request, and so on) automatically carries the cookies set for .tmall.com. However, some cross-site actions (for example, a POST request from a.tmall.com to a.taobao.com) do not carry the target domain's cookies, and the reason is the SameSite attribute of the cookie.

Same-site/cross-site as used above corresponds to first-party/third-party. What we usually call a cross-site request is really a third-party request, and the cookies it would carry are third-party cookies, whereas the cookies carried by a same-site request are first-party cookies.

Do cross-site requests carry cookies?

We have seen above how to tell same-site from cross-site requests, and that cross-site requests sometimes do not carry third-party cookies. Whether a cookie is sent depends on its SameSite attribute.

Browsers previously treated a cookie with no SameSite attribute as SameSite=None, meaning the cookie was sent with cross-site requests, i.e. third-party cookies were allowed.

However, Chrome 80, released in February 2020, changed the default for cookies that do not declare SameSite to Lax, meaning that only some cross-site requests still carry the cookie.

Which requests make up this "some" depends on the request type:

  • Same-site requests: the cookie is sent, whatever its SameSite value
  • Cross-site top-level navigation with a safe method (clicking a link, a GET form, a redirect that lands at the top level): a Lax cookie is sent
  • Cross-site iframe, <img>, <script>, fetch/XHR or form POST: a Lax cookie is not sent
  • SameSite=Strict: the cookie is never sent cross-site, not even on a top-level navigation

One Chrome-specific wrinkle: a cookie that only got Lax by default (no explicit attribute) is still sent on a cross-site top-level POST for two minutes after it was set ("Lax + POST"), to avoid breaking login flows that POST back from an identity provider. An explicit SameSite=Lax does not get this exception.

Of course, if you want a cross-site Ajax request (or an embedded iframe, as in the case above) to carry a cookie, you can set that cookie's SameSite attribute to None. Two caveats apply. First, browsers only accept SameSite=None together with the Secure attribute, so the cookie has to be set over HTTPS; Chrome rejects a SameSite=None cookie that is not also Secure. Second, for fetch/XHR the request must opt in to credentials (credentials: 'include' or withCredentials = true) and the server must answer with CORS headers that allow credentials. Also remember that SameSite=None re-opens exactly the cross-site request path that Lax closed, so the endpoints that receive such cookies need their own CSRF protection, for example an anti-CSRF token.
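The following is an added example, not code from the original post, that models both things discussed above: how a browser computes a "site" (eTLD+1 plus scheme) and how it then applies the SameSite attribute to decide whether a cookie accompanies a request. The public suffix list is a constructed subset of Mozilla's list, the request objects are constructed, and the cookie name and value in crossSiteCookieHeader are assumed; Chrome's two-minute "Lax + POST" exception is deliberately not modelled.

```javascript
// Added example (not from the original post): a small model of how a browser
// applies the same-site rules when deciding whether a cookie rides along with a
// request. PUBLIC_SUFFIXES is a constructed subset of Mozilla's Public Suffix
// List; a real browser consults the full list. Run with: node samesite.js

// Constructed subset of the Public Suffix List (eTLDs). An eTLD can span several
// labels ("co.uk") and can be a "private" suffix such as "github.io".
const PUBLIC_SUFFIXES = new Set(["com", "cn", "uk", "co.uk", "io", "github.io"]);

// Registrable domain (eTLD+1) of a host, or null when the host is itself a
// public suffix. Matching is case-insensitive and the longest listed suffix
// wins, so "example.co.uk" is not cut at "uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown TLD: fall back to treating the last label as the suffix.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// A "site" in the schemeful sense is scheme + registrable domain, so
// http://a.taobao.com and https://a.taobao.com are different sites.
function siteOf(url) {
  const u = new URL(url);
  const domain = registrableDomain(u.hostname) ?? u.hostname;
  return `${u.protocol}//${domain}`;
}

function isSameSite(urlA, urlB) {
  return siteOf(urlA) === siteOf(urlB);
}

// Does the browser attach `cookie` to `request`?
//   cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
//   request: { url, initiator, topLevelNavigation, method }
//            `initiator` is the page (or frame) that causes the request.
function cookieSent(cookie, request) {
  const target = new URL(request.url);
  // A Secure cookie never travels over plain http, whatever its SameSite value.
  if (cookie.secure && target.protocol !== "https:") return false;

  const mode = cookie.sameSite ?? "Lax"; // Chrome 80+: missing attribute means Lax
  if (mode === "None") {
    // Browsers reject SameSite=None without Secure at Set-Cookie time, so such a
    // cookie never exists to be sent; model that as "not sent".
    return Boolean(cookie.secure);
  }
  if (isSameSite(request.initiator, request.url)) return true;
  if (mode === "Strict") return false;
  // Lax: the only cross-site requests that carry the cookie are top-level
  // navigations with a safe method (link click, GET form, redirect). Iframes,
  // images, scripts, fetch/XHR and form POSTs do not qualify.
  const method = (request.method ?? "GET").toUpperCase();
  return request.topLevelNavigation === true && (method === "GET" || method === "HEAD");
}

// The fix for the scenario in the post: a cookie that must work cross-site has
// to declare SameSite=None and Secure together (assumed cookie name and value).
function crossSiteCookieHeader(name, value) {
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// The post's scenario (constructed): http://a.demo.com embeds https://b.demo.com
// in an iframe. The iframe load is not a top-level navigation.
const iframeLoad = {
  url: "https://b.demo.com/",
  initiator: "http://a.demo.com/",
  topLevelNavigation: false,
  method: "GET",
};
const legacyLoginCookie = { sameSite: undefined, secure: false }; // no attribute set
const fixedLoginCookie = { sameSite: "None", secure: true };

console.log("same site?", isSameSite(iframeLoad.initiator, iframeLoad.url)); // false: scheme differs
console.log("legacy cookie sent?", cookieSent(legacyLoginCookie, iframeLoad)); // false
console.log("fixed cookie sent?", cookieSent(fixedLoginCookie, iframeLoad)); // true
console.log(crossSiteCookieHeader("session", "abc123"));
```

Running it reproduces the bug from the beginning of the post: the http page and the https iframe are different sites because the scheme differs, so a cookie that was never given a SameSite attribute now defaults to Lax and is withheld from the iframe request, while the same cookie re-issued with SameSite=None; Secure is sent.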

Why do browsers limit cookies on cross-site requests?

Cookies are involved in well-known web security problems such as the CSRF and XSS attacks we are familiar with. SameSite is aimed squarely at CSRF: if a cross-site request cannot carry the victim's session cookie, a form submission or fetch forged from an attacker's site arrives at the server unauthenticated. The same restriction also curbs third-party tracking cookies. XSS is a different matter: a script running on the site itself is same-site, so SameSite does nothing to stop it from reading cookies; that is what the HttpOnly attribute is for.

For details, see the following articles:

CSRF attacks: see this article

XSS attacks: see this article

References:

web.dev/samesite-co…

juejin.cn/post/684490…

juejin.cn/post/691188…